asyncrat | 3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

920KB
MD5

df9eddff9512b4eff624b492bdb8c791
SHA1

aa4623f25c3aa1687cc38b179246ae5874ee017f
SHA256

3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59
SHA512

d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e
SSDEEP

12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7409950713:AAGOgqTx-C_IXW4TMVH0D3NzyJW8XztSM_c/sendMessage?chat_id=6059920057

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233e4-5.dat	family_stormkitty
behavioral2/files/0x0007000000023449-66.dat	family_stormkitty
behavioral2/memory/4856-129-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/5076-130-0x00000000006C0000-0x00000000006F2000-memory.dmp	family_stormkitty
behavioral2/memory/3524-517-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/3524-598-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/3524-622-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x00090000000233e4-5.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
5076	._cache_Server.exe
3524	Synaptics.exe
2656	._cache_Synaptics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Server.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Synaptics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	pastebin.com
57	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
512	netsh.exe
2540	cmd.exe
3036	netsh.exe
2412	cmd.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4896	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
5076	._cache_Server.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe
2656	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	._cache_Server.exe
Token: SeDebugPrivilege	2656	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4896	EXCEL.EXE
4896	EXCEL.EXE
4896	EXCEL.EXE
4896	EXCEL.EXE
4896	EXCEL.EXE
4896	EXCEL.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 5076	4856	Server.exe	82
PID 4856 wrote to memory of 5076	4856	Server.exe	82
PID 4856 wrote to memory of 5076	4856	Server.exe	82
PID 4856 wrote to memory of 3524	4856	Server.exe	83
PID 4856 wrote to memory of 3524	4856	Server.exe	83
PID 4856 wrote to memory of 3524	4856	Server.exe	83
PID 3524 wrote to memory of 2656	3524	Synaptics.exe	84
PID 3524 wrote to memory of 2656	3524	Synaptics.exe	84
PID 3524 wrote to memory of 2656	3524	Synaptics.exe	84
PID 5076 wrote to memory of 2540	5076	._cache_Server.exe	97
PID 5076 wrote to memory of 2540	5076	._cache_Server.exe	97
PID 5076 wrote to memory of 2540	5076	._cache_Server.exe	97
PID 2540 wrote to memory of 2884	2540	cmd.exe	99
PID 2540 wrote to memory of 2884	2540	cmd.exe	99
PID 2540 wrote to memory of 2884	2540	cmd.exe	99
PID 2540 wrote to memory of 3036	2540	cmd.exe	100
PID 2540 wrote to memory of 3036	2540	cmd.exe	100
PID 2540 wrote to memory of 3036	2540	cmd.exe	100
PID 2540 wrote to memory of 1696	2540	cmd.exe	101
PID 2540 wrote to memory of 1696	2540	cmd.exe	101
PID 2540 wrote to memory of 1696	2540	cmd.exe	101
PID 2656 wrote to memory of 2412	2656	._cache_Synaptics.exe	102
PID 2656 wrote to memory of 2412	2656	._cache_Synaptics.exe	102
PID 2656 wrote to memory of 2412	2656	._cache_Synaptics.exe	102
PID 2412 wrote to memory of 2760	2412	cmd.exe	104
PID 2412 wrote to memory of 2760	2412	cmd.exe	104
PID 2412 wrote to memory of 2760	2412	cmd.exe	104
PID 2412 wrote to memory of 512	2412	cmd.exe	105
PID 2412 wrote to memory of 512	2412	cmd.exe	105
PID 2412 wrote to memory of 512	2412	cmd.exe	105
PID 2412 wrote to memory of 2740	2412	cmd.exe	106
PID 2412 wrote to memory of 2740	2412	cmd.exe	106
PID 2412 wrote to memory of 2740	2412	cmd.exe	106
PID 5076 wrote to memory of 884	5076	._cache_Server.exe	107
PID 5076 wrote to memory of 884	5076	._cache_Server.exe	107
PID 5076 wrote to memory of 884	5076	._cache_Server.exe	107
PID 884 wrote to memory of 2040	884	cmd.exe	109
PID 884 wrote to memory of 2040	884	cmd.exe	109
PID 884 wrote to memory of 2040	884	cmd.exe	109
PID 884 wrote to memory of 5004	884	cmd.exe	110
PID 884 wrote to memory of 5004	884	cmd.exe	110
PID 884 wrote to memory of 5004	884	cmd.exe	110
PID 2656 wrote to memory of 928	2656	._cache_Synaptics.exe	111
PID 2656 wrote to memory of 928	2656	._cache_Synaptics.exe	111
PID 2656 wrote to memory of 928	2656	._cache_Synaptics.exe	111
PID 928 wrote to memory of 4416	928	cmd.exe	113
PID 928 wrote to memory of 4416	928	cmd.exe	113
PID 928 wrote to memory of 4416	928	cmd.exe	113
PID 928 wrote to memory of 2280	928	cmd.exe	114
PID 928 wrote to memory of 2280	928	cmd.exe	114
PID 928 wrote to memory of 2280	928	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5004
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:512
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2280

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
920KB

MD5
df9eddff9512b4eff624b492bdb8c791

SHA1
aa4623f25c3aa1687cc38b179246ae5874ee017f

SHA256
3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

SHA512
d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
49eb0935615a4803b910fd0b269b8d2f

SHA1
cee9426c9f10da05c76c91ab63e77d891353d16b

SHA256
12ac1fb6321c89b8d05b9c16f92b82d3b56c900e3fe2fb67272e988fd0688736

SHA512
b2710781bdc421b7cf9be4698902e549d09a5a1702bb4e378a8c98f15da1394f1020ce3b42b3e276889f3a4670d37a203eb47024482e08e30d7ada8d3f6f6b47

Download Submit
C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
c589f6f959a2183f828ae23b141b5bcc

SHA1
ae24a083eaaae4634648ff9445f7883c06be5713

SHA256
d3026af50022bafe8ea9815a58fa67d120fb2a72e8e8e85356f51ecbe0d4d462

SHA512
bb3f429d59aa1a39c24b1bd568e0a39e42d3056b7d188daa2b5055300d3ee14440d84165d96e992727c95816f5f38e338e6a5c789f6325ae7756cc68f3cbbab4

Download Submit
C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

Filesize
175KB

MD5
33d7934b7f436cde6b5f374c179fd228

SHA1
0b985932346e625934f2100eab2f62406897dfdf

SHA256
f262e3910d40c694d77b77aa4bc9a62abdb0394efed57fab03dd86834c333c96

SHA512
501454fdb67cc44ce136bedc3fdc0594bb684ebdca9593e2d462f4c553b6a2efd0874e33963c0ee4e4cef64752c1b4ec3869188b85cb08066c74ffcb85f740b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E975E00

Filesize
24KB

MD5
aff2f30290245b1c96caa35c035be8e8

SHA1
fa1357999856ac3a30ee19d2f80ff4b8c9dc3cfb

SHA256
a50608d0045ab9eae80521010b253cd8c97d81e8ec0634e43e95a5e7cf56d45e

SHA512
40e10e2cb5d5fbecffd9f41048c404a27ea84a1a83ccf6ee58dc1aa4898bf965c08805dcaf68c7a4bea5695c389f61315462325a1b77562546f60058639b853f

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6mzKLyx.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.dat

Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B86.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B89.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Desktop\~$UnblockUse.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2656-572-0x0000000006ED0000-0x0000000006EE2000-memory.dmp

Filesize
72KB

Download
memory/3524-598-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3524-518-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3524-517-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3524-131-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3524-622-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4856-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4856-129-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4896-194-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-196-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-193-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-198-0x00007FF9A7890000-0x00007FF9A78A0000-memory.dmp

Filesize
64KB

Download
memory/4896-509-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-508-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-507-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-506-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-197-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/4896-199-0x00007FF9A7890000-0x00007FF9A78A0000-memory.dmp

Filesize
64KB

Download
memory/4896-195-0x00007FF9A9FF0000-0x00007FF9AA000000-memory.dmp

Filesize
64KB

Download
memory/5076-551-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/5076-553-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/5076-566-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/5076-448-0x0000000072AAE000-0x0000000072AAF000-memory.dmp

Filesize
4KB

Download
memory/5076-192-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/5076-130-0x00000000006C0000-0x00000000006F2000-memory.dmp

Filesize
200KB

Download
memory/5076-118-0x0000000072AAE000-0x0000000072AAF000-memory.dmp

Filesize
4KB

Download